A couple of weeks ago in this
publication Winn Schwartau pointed out the stupidity of companies trying to
invent their own encryption technologies. (nww Aug 27, pp 45, "To Hell
With Proprietary Encryption Algorithms")A good column but he only covered part of the stupidity --
the stupidity he did not cover is legally mandated.

The Digital Millennium
Copyright Act (DMCA), signed into law by President Clinton on October 28th,
1998, (available at http://www.eff.org/ip/DMCA/hr2281_dmca_law_19981020_pl105-304.html)
prohibits "any technology, product, service, device, component, or part
thereof, that ... is primarily designed or produced for the purpose of
circumventing protection afforded by a technological measure that effectively
protects a right of a copyright owner."

But in outlawing tools for
circumventing protection it is also outlawing the tools that researchers use to
test security systems.The only
way to know if an encryption system works is to try to break it.But having software that could be used
to do this is outlawed by the DMCA.So if someone manages to stumble on a hole in some security system which
could conceivably be used to protect some copyrighted material, that covers
just about all security systems, they can not report the problem without
opening themselves up for prosecution for possession of the tools they used to
find the hole.

In effect this law says that
when some company or organization goes against Winn's good advice and hires
some self-identified crypto experts to create a proprietary protection scheme
and that scheme turns out to be as an effective a barrier as wet tissue paper,
no one can tell them the vulnerability without risk of arrest.This law mandates ignorance.This makes about as much sense as
outlawing reporting on deaths that occur during drug trials.In effect, the law mandates crappy
security.

And we have recently seen a
lot of security is not as good as the inventers thought it was. The list is
getting longer by the day: DVDs, 802.11 Wired Equivalent Privacy (WEP), most
watermark schemes, Adobe e-books, and, reported yesterday, maybe even
Microsoft's e-books.Who knows
what other systems have been broken but not reported on because of the threat
of the DMCA.

Security is hard. It is very
hard for a developer to find all the holes in a design or implementation. (Just
ask Microsoft!) Making it illegal for people to report vulnerabilities when
they show up does not add to security.(If that sounds like a reach from the DMCA see:
http://www.interesting-people.org/200108/0189.html)

If you implement
security-related software the DMCA mandates that you stay in the dark if
someone manages to break your security, on purpose or by accident.It mandates that no one but the bad
guys know about vulnerabilities.It mandates that US companies create and use poor security on the
Internet in the face of concerted attacks from many parts of the world. This is
breathtakingly stupid.

It may also be an
unconstitutional abridgement of free speech, time and the courts will
tell.But meanwhile - rest well,
knowing that the US government is protecting the ability of the bad guys to
exploit holes in crappy software.

disclaimer: Harvard is not
associated with anything crappy so the above must be my own opinion.